Dump Up The Kids

Not even a single day has passed since the Italian Police raided some alleged Italian Anonymous members, and a new hacker group, whose name, LulzStorm, unmistakably recalls the Lulz Boat, has carried out a sensational hack against several Italian universities.

On July 6th, the “Silence of the Tweets” that followed the Italian Police raids was broken by @LulzStorm (which had not taken part in #opitaly until then) with some tweets announcing the availability of the Italian University Dump.

That tweet broke the silence into which @anonitaly and @LulzSecITALY had apparently fallen and, as was easily predictable, was immediately retweeted all over the web at incredible speed.

It is not clear whether the attack was perpetrated as revenge for the campaign against the “Italian Chapter” of Anonymous, but, of course, it received ample media coverage, raising many questions and concerns even among non-professionals. The chancellors of the affected universities (among them La Sapienza di Roma and the Politecnico di Milano) immediately replied that the countermeasures in place were able to stop the attack and that in many cases no sensitive data were stolen.

Even though the attack details have not been released, it looks like this might be yet another SQL injection attack, which may be considered the real lethal weapon of this tremendous 2011 (if we leave aside DDoS attacks, which “purists” do not consider an elegant vector). I do not know whether, as Veracode claims, 10,000 bucks would have prevented the Sony breach, but more secure coding and more effective deployment of web and database firewalls are certainly needed.

Another aspect concerns Italian law 193/2006, which in theory obliges every institution managing sensitive data (such as passwords) to keep them encrypted. Regulations are useless if not properly audited: I must confess I had the opportunity to analyze the torrent, and I can confirm that in several cases the leaked data include e-mails and passwords in clear. As a consequence, the question being asked among infosec professionals is legitimate: why were those data not stored in compliance with the law quoted above? Regardless of the method used, if the attackers meant to expose security weaknesses (in technology and regulations), they probably succeeded, to the point that several lawyers with expertise in privacy claim that students may in theory obtain compensation for damage caused by the poor security measures taken by universities.
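As an added example (not code from the post or from any of the universities involved), here is what the "more secure coding" called for above looks like for the two weaknesses discussed: bound parameters, so that user input can never change the meaning of the SQL statement, and a salted, slow password hash, so that a dumped table does not hand out passwords in clear. The table layout, e-mail address and password are constructed sample values.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def make_db():
    # Constructed in-memory stand-in for a university's student credential table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password, salt):
    # Salted, deliberately slow hash: a leaked table yields no reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db, email, password):
    salt = os.urandom(16)  # fresh random salt per user
    # Bound parameters: the driver sends values separately from the SQL text,
    # so quotes or SQL keywords inside email/password never alter the statement.
    db.execute("INSERT INTO students VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))
    db.commit()


def login(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM students WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so response timing leaks nothing about the hash.
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_contains_plaintext(db, password):
    # What someone who exfiltrates the whole table would see: no column holds the password.
    needle = password.encode("utf-8")
    rows = db.execute("SELECT email, salt, pw_hash FROM students").fetchall()
    return any(needle in (v if isinstance(v, bytes) else v.encode("utf-8"))
               for row in rows for v in row)


if __name__ == "__main__":
    db = make_db()
    register(db, "student@example.invalid", "correct horse battery")
    print(login(db, "student@example.invalid", "correct horse battery"))  # True
    print(dump_contains_plaintext(db, "correct horse battery"))  # False
```

The e-mail in the test below contains a single quote, which would break or alter a string-concatenated query but is handled as plain data by the bound parameter.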

In any case, the declarations made by the Italian Anonymous suggest that this could be only the first occurrence. Are we ready for that?